From 0ebb49f06303e47a2dec7fb12ac952cc5a407e2d Mon Sep 17 00:00:00 2001
From: Petr Lautrbach
Date: Fri, 10 Jan 2025 14:36:16 +0100
Subject: [PATCH] Filter out EPEL related modules

Resolves: RHEL-73505
---
 modules-filtered.lst | 67 ++++++++++++++++++++++++++++++++++++++++++++
 selinux-policy.spec | 9 ++++--
 2 files changed, 74 insertions(+), 2 deletions(-)
 create mode 100644 modules-filtered.lst

diff --git a/modules-filtered.lst b/modules-filtered.lst
new file mode 100644
index 00000000..659c892f
--- /dev/null
+++ b/modules-filtered.lst
@@ -0,0 +1,67 @@
+aiccu
+amtu
+antivirus
+apcupsd
+arpwatch
+asterisk
+awstats
+bcfg2
+bitlbee
+boinc
+brctl
+cobbler
+collectd
+conman
+cpufreqselector
+cvs
+ddclient
+dnssec
+drbd
+entropyd
+exim
+fail2ban
+gdomap
+hddtemp
+ktls
+l2tp
+linuxptp
+lircd
+livecd
+lttng-tools
+mailman
+man2html
+milter
+minidlna
+mock
+mongodb
+mplayer
+munin
+nagios
+nsd
+nslcd
+ntp
+nut
+openct
+openfortivpn
+openvpn
+pdns
+pingd
+postgrey
+prelude
+privoxy
+prosody
+puppet
+pwauth
+rhev
+rkhunter
+rlogin
+rshd
+smokeping
+tcpd
+tcsd
+tlp
+tor
+vnstatd
+vpn
+zabbix
+zebra
diff --git a/selinux-policy.spec b/selinux-policy.spec
index d229fe9e..f6d54185 100644
--- a/selinux-policy.spec
+++ b/selinux-policy.spec
@@ -32,6 +32,8 @@ Source3: macro-expander
 # Git repo: https://github.com/containers/container-selinux.git
 Source4: container-selinux.tgz
 
+# do not ship these modules
+Source15: modules-filtered.lst
 # modules enabled in -minimum policy
 Source16: modules-minimum.lst
 
@@ -321,9 +323,11 @@ awk '$1 !~ "/^#/" && $2 == "=" && $3 == "base" { printf "%%s ", $1 }' ./policy/m
 %define nonBaseModulesList() \
 modules=`cat %{buildroot}%{_datadir}/selinux/%1/modules.lst` \
 for i in $modules; do \
- if [ $i != "sandbox" ];then \
+ if [ $i != "sandbox" ] && ! grep -E "^$i$" %{SOURCE15}; then \
 echo "%verify(not md5 size mtime) %{_sharedstatedir}/selinux/%1/active/modules/100/$i" >> %{buildroot}%{_datadir}/selinux/%1/nonbasemodules.lst \
- fi; \
+ else \
+ rm -rf %{buildroot}%{_sharedstatedir}/selinux/{targeted,minimum,mls}/active/modules/100/$i \
+ fi \
 done;

 # Make sure the config is consistent with what packages are installed in the system
@@ -550,6 +554,7 @@ Obsoletes: cachefilesd-selinux <= 0.10-1
 Conflicts: seedit
 Conflicts: 389-ds-base < 1.2.7, 389-admin < 1.1.12
 Conflicts: container-selinux < 2:1.12.1-22
+Recommends: (selinux-policy-epel-targeted if epel-release)

 %description targeted
 SELinux targeted policy package.
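Review bot: The new `else` branch is taken whenever the combined test fails, which includes `$i` being `sandbox`, so `nonBaseModulesList` now runs `rm -rf` on `active/modules/100/sandbox` where the old code only kept it out of nonbasemodules.lst. If only filtered modules are meant to be deleted, handle sandbox first, e.g. `if [ "$i" = "sandbox" ]; then continue; fi; \`, and keep the `rm -rf` for the grep match alone. The deletion path also hard-codes `{targeted,minimum,mls}` although the list being walked comes from `%1`; if each policy type is processed by its own call, `%1` in the path would keep every call to its own tree. `grep -E "^$i$"` treats the module name as a regular expression and writes every match to the build output, whereas `grep -qxF -- "$i" %{SOURCE15}` compares the whole line literally and stays quiet. Anything this loop removes is shipped without a policy module, so an unintended match changes which domains exist on installed systems without any build error.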
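Review bot: `Recommends:` is a weak dependency, so the added line does not guarantee that selinux-policy-epel-targeted is present on a host with epel-release installed; it is skipped when weak dependencies are turned off in the package manager (dnf `install_weak_deps=False`) or when the package is not available in the enabled repositories. On such a host, software covered by modules-filtered.lst would be installed with no policy module of its own, so presumably those services would no longer run in their dedicated domains. A comment above the line would record that trade-off, for example `# weak dep on purpose: without it EPEL services have no policy module`. The hunk shows the dependency for the targeted subpackage only, while the build step strips the same modules from minimum and mls; whether those subpackages get a counterpart is not visible here.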